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Identifying  “revolutions  in  military  affairs”  is  arbitrary,  but  some 
inflection  points  in  technological  change  are  larger  than  others:  for  example, 
the  gunpowder  revolution  in  early  modern  Europe,  the  industrial  revolu¬ 
tion  of  the  nineteenth  century,  the  second  industrial  revolution  of  the 
early  twentieth  century,  and  the  nuclear  revolution  in  the  middle  of  the 
last  century.1  In  this  century,  we  can  add  the  information  revolution  that 
has  produced  today’s  extremely  rapid  growth  of  cyberspace.  Earlier  revolu¬ 
tions  in  information  technology,  such  as  Gutenberg’s  printing  press,  also 
had  profound  political  effects,  but  the  current  revolution  can  be  traced 
to  Moore’s  law  and  the  thousand-fold  decrease  in  the  costs  of  computing 
power  that  occurred  in  the  last  quarter  of  the  twentieth  century. 

Political  leaders  and  analysts  are  only  beginning  to  come  to  terms  with 
this  transformative  technology.  Until  now,  the  issue  of  cyber  security  has 
largely  been  the  domain  of  computer  experts  and  specialists.  When  the 
Internet  was  created  40  years  ago,  this  small  community  was  like  a  vir¬ 
tual  village  of  people  who  knew  each  other,  and  they  designed  an  open 
system  with  little  attention  to  security.  While  the  Internet  is  not  new,  the 
commercial  Web  is  less  than  two  decades  old,  and  it  has  exploded  from  a 
few  million  users  in  the  early  1990s  to  some  two  billion  users  today.  This 
burgeoning  interdependence  has  created  great  opportunities  and  great 
vulnerabilities,  which  strategists  do  not  yet  fully  comprehend.  As  Gen 
Michael  Hayden,  former  director  of  the  CIA  says,  “Rarely  has  something 
been  so  important  and  so  talked  about  with  less  clarity  and  less  apparent 
understanding  [than  cyber  security].  ...  I  have  sat  in  very  small  group 
meetings  in  Washington  .  .  .  unable  (along  with  my  colleagues)  to  decide 
on  a  course  of  action  because  we  lacked  a  clear  picture  of  the  long-term 
legal  and  policy  implications  of  any  decision  we  might  make.”2 
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Nuclear  Lessons  for  Cyber  Security ? 


Governments  learn  slowly  from  knowledge,  study,  and  experience,  and 
learning  occurs  internationally  when  new  knowledge  gradually  redefines 
the  content  of  national  interests  and  leads  to  new  policies.3  For  example, 
the  United  States  and  the  Soviet  Union  took  decades  to  learn  how  to 
adapt  and  respond  to  the  prior  revolution  in  military  affairs — nuclear 
technology  after  1945.  As  we  try  to  make  sense  of  our  halting  responses  to 
the  current  cyber  revolution,  are  there  any  lessons  we  can  learn  from  our 
responses  to  the  prior  technological  transformation?  In  comparison  to  the 
nuclear  revolution  in  military  affairs,  strategic  studies  of  the  cyber  domain 
are  chronologically  equivalent  to  1960  but  conceptually  more  equivalent 
to  1950.  Analysts  are  still  not  clear  about  the  lessons  of  offense,  defense, 
deterrence,  escalation,  norms,  arms  control,  or  how  they  fit  together  into 
a  national  strategy.  After  a  short  overview  of  the  problem  of  cyber  security 
in  the  next  section,  I  will  suggest  several  general  lessons  and  then  discuss 
a  number  of  international  lessons  that  can  be  learned  from  the  nuclear 
experience.  While  the  two  technologies  are  vastly  different,  as  I  will  argue 
below,  there  are  nonetheless  useful  comparisons  one  can  make  of  the  ways 
in  which  governments  learn  to  respond  to  technological  revolutions. 

Cyberspace  in  Perspective 

Cyber  is  a  prefix  standing  for  computer  and  electromagnetic  spectrum- 
related  activities.  The  cyber  domain  includes  the  Internet  of  networked 
computers  but  also  intranets,  cellular  technologies,  fiber-optic  cables,  and 
space-based  communications.  Cyberspace  has  a  physical  infrastructure 
layer  that  follows  the  economic  laws  of  rival  resources  and  the  political 
laws  of  sovereign  jurisdiction  and  control.  This  aspect  of  the  Internet  is 
not  a  traditional  “commons.”  It  also  has  a  virtual  or  informational  layer 
with  increasing  economic  returns  to  scale  and  political  practices  that 
make  jurisdictional  control  difficult.  Attacks  from  the  informational 
realm,  where  costs  are  low,  can  be  launched  against  the  physical  domain, 
where  resources  are  scarce  and  expensive.  Conversely,  control  of  the 
physical  layer  can  have  both  territorial  and  extraterritorial  effects  on  the 
informational  layer.  Cyber  power  can  produce  preferred  outcomes  within 
cyberspace  or  in  other  domains  outside  cyberspace.  By  analogy,  sea  power 
refers  to  the  use  of  resources  in  the  oceans  domain  to  win  naval  battles  on 
the  oceans,  but  it  also  includes  the  ability  to  use  the  oceans  to  influence 
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battles,  commerce,  and  opinions  on  land.  Likewise,  the  same  analogy  can 
be  applied  to  airpower. 

The  cyber  domain  is  a  complex  man-made  environment.  Unlike  atoms, 
human  adversaries  are  purposeful  and  intelligent.  Mountains  and  oceans 
are  hard  to  move,  but  portions  of  cyberspace  can  be  turned  on  and  off  by 
throwing  a  switch.  It  is  cheaper  and  quicker  to  move  electrons  across  the 
globe  than  to  move  large  ships  long  distances  through  the  friction  of  salt 
water.  The  costs  of  developing  multiple  carrier  task  forces  and  submarine 
fleets  create  enormous  barriers  to  entry  and  make  it  possible  to  speak  of 
American  naval  dominance.  In  contrast,  the  barriers  to  entry  in  the  cyber 
domain  are  so  low  that  nonstate  actors  and  small  states  can  play  significant 
roles  at  low  cost. 

The  Future  of  Power  describes  diffusion  of  power  away  from  governments 
as  one  of  the  great  power  shifts  of  this  century.4  Cyberspace  is  a  perfect 
example  of  this  broader  trend.  The  largest  powers  are  unlikely  to  be  able  to 
dominate  this  domain  as  much  as  they  have  others  like  sea,  air,  or  space. 

While  they  have  greater  resources,  they  also  have  greater  vulnerabilities, 
and  at  this  stage  in  the  development  of  the  technology,  offense  domi¬ 
nates  defense  in  cyberspace.  The  United  States,  Russia,  Britain,  France, 
and  China  have  greater  capacity  than  other  state  and  nonstate  actors,  but 
it  makes  little  sense  to  speak  of  dominance  in  cyberspace.  If  anything,  de¬ 
pendence  on  complex  cyber  systems  for  support  of  military  and  economic 
activities  creates  new  vulnerabilities  in  large  states  that  can  be  exploited  by 
nonstate  actors.  Four  decades  ago,  the  Pentagon  created  the  Internet,  and 
today,  by  most  accounts,  the  United  States  remains  the  leading  country 
in  both  its  military  and  societal  use.  At  the  same  time,  however,  because 
of  greater  dependence  on  networked  computers  and  communication,  the 
United  States  is  more  vulnerable  to  attack  than  many  other  countries,  and 
the  cyber  domain  has  become  a  major  source  of  insecurity.5 

The  term  cyber  attack  covers  a  wide  variety  of  actions  ranging  from  simple 
probes,  to  defacing  websites,  to  denial  of  service,  to  espionage  and  destruction.6 
Similarly,  the  term  cyber  war  is  used  very  loosely  for  a  wide  range  of  behav¬ 
iors.  In  this,  it  reflects  dictionary  definitions  of  war  that  range  from  armed 
conflict  to  any  hostile  contention  (e.g.,  “war  between  the  sexes”  or  “war 
on  poverty”).  At  the  other  extreme,  some  use  a  very  narrow  definition  of 
cyber  war  as  a  “bloodless  war”  among  states  that  consists  only  of  conflict 
in  the  virtual  layer  of  cyberspace.  But  this  avoids  important  issues  of  the 
interconnection  of  the  physical  and  virtual  layers  of  cyberspace  discussed 
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above.  A  more  useful  definition  of  cyber  war  is,  hostile  actions  in  cyberspace 
that  have  effects  that  amplify  or  are  equivalent  to  major  kinetic  violence. 

In  the  physical  world,  governments  have  a  near  monopoly  on  large-scale 
use  of  force,  the  defender  has  an  intimate  knowledge  of  the  terrain,  and  at¬ 
tacks  end  because  of  attrition  or  exhaustion.  Both  resources  and  mobility 
are  costly.  In  the  virtual  world,  actors  are  diverse,  sometimes  anonymous, 
physical  distance  is  immaterial,  and  offense  is  often  cheap.  Because  the 
Internet  was  designed  for  ease  of  use  rather  than  security,  the  offense  cur¬ 
rently  has  the  advantage  over  the  defense.  This  might  not  remain  the  case 
in  the  long  term  as  technology  evolves,  including  efforts  at  “reengineer¬ 
ing”  some  systems  for  greater  security,  but  it  remains  the  case  at  this  stage. 

The  larger  party  has  limited  ability  to  disarm  or  destroy  the  enemy,  occupy 
territory,  or  effectively  use  counterforce  strategies.  Cyber  war,  although 
only  incipient  at  this  stage,  is  the  most  dramatic  of  the  potential  threats. 

Major  states  with  elaborate  technical  and  human  resources  could,  in  prin¬ 
ciple,  create  massive  disruption  as  well  as  physical  destruction  through 
cyber  attacks  on  military  as  well  as  civilian  targets.  Responses  to  cyber  war 
include  a  form  of  interstate  deterrence  (though  different  from  classical 
nuclear  deterrence),  offensive  capabilities,  and  designs  for  network  and 
infrastructure  resilience  if  deterrence  fails.  At  some  point  in  the  future,  it 
may  be  possible  to  reinforce  these  steps  with  certain  rudimentary  norms, 
but  the  world  is  at  an  early  stage  in  such  a  process. 

If  one  treats  hacktivism  as  mostly  a  disruptive  nuisance  at  this  stage, 
there  remain  four  major  categories  of  cyber  threats  to  national  security, 
each  with  a  different  time  horizon  and  different  (in  principle)  solutions: 
cyber  war  and  economic  espionage  are  largely  associated  with  states,  and 
cyber  crime  and  cyber  terrorism  are  mostly  associated  with  nonstate  actors. 

For  the  United  States,  at  the  present  time,  the  highest  costs  come  from 
espionage  and  crime,  but  over  the  next  decade  or  so,  war  and  terrorism 
may  become  greater  threats  than  they  are  today.  Moreover,  as  alliances  and 
tactics  evolve  among  different  actors,  the  categories  may  increasingly  over¬ 
lap.  In  the  view  of  ADM  Mike  McConnell,  “Sooner  or  later,  terror  groups 
will  achieve  cyber-sophistication.  It’s  like  nuclear  proliferation,  only  far 
easier.”7  We  are  only  just  beginning  to  see  glimpses  of  cyber  war — for  in¬ 
stance,  as  an  adjunct  in  some  conventional  attacks,  in  the  denial-of-service 
attacks  that  accompanied  the  conventional  war  in  Georgia  in  2008,  or 
the  recent  sabotage  of  Iranian  centrifuges  by  the  Stuxnet  worm.  Deputy 
Defense  Secretary  William  Lynn  has  described  the  evolution  of  cyber 
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attacks  from  exploitation,  to  disruption  of  networks,  to  destruction  of 
physical  facilities.  He  argues  that  while  states  have  the  greatest  capabilities, 
nonstate  actors  are  more  likely  to  initiate  a  catastrophic  attack.8  A  “cyber 
9/11”  may  be  more  likely  than  the  often  mentioned  “cyber  Pearl  Harbor.” 

Nuclear  Lessons  for  Cyber  Security? 

Can  the  nuclear  revolution  in  military  affairs  seven  decades  ago  teach 
us  anything  about  the  current  cyber  transformation?  At  first  glance,  the 
answer  seems  to  be  no.  The  differences  between  the  technologies  are  just 
too  great.  The  National  Research  Council  cites  differences  in  the  threshold 
for  action  and  attribution — nuclear  explosions  are  unambiguous,  while 
cyber  intrusions  that  plant  logic  bombs  in  the  infrastructure  may  go  un¬ 
noticed  for  long  periods  before  being  used  and,  even  then,  can  be  diffi¬ 
cult  to  trace.9  Even  more  dramatic  is  the  sheer  destructiveness  of  nuclear 
technology.  Unlike  nuclear,  cyber  does  not  pose  an  existential  threat.  As 
Martin  Libicki  points  out,  destruction  or  disconnection  of  cyber  systems 
could  return  us  to  the  economy  of  the  1990s — a  huge  loss  of  GDP — but 
a  major  nuclear  war  could  return  us  to  the  Stone  Age.10  In  that  and  other 
dimensions,  comparisons  of  cyber  with  biological  and  chemical  weaponry 
might  be  more  apt. 

Moreover,  cyber  destruction  can  be  disaggregated,  and  small  doses  of 
destruction  can  be  administered  over  time.  While  there  are  many  degrees 
of  nuclear  destruction,  all  are  above  a  dramatic  threshold  or  firebreak.  In 
addition,  while  there  is  an  overlap  of  civilian  and  military  nuclear  technology, 
nuclear  originated  in  war,  and  the  differences  in  its  use  are  clearer  than  in 
cyber  where  the  Web  has  burgeoned  in  the  civilian  sector.  For  example, 
the  “dot  mil”  domain  name  is  only  a  small  part  of  the  Internet,  and  90 
percent  of  military  telephone  and  Internet  communications  travel  over 
civilian  networks.  Finally,  because  of  the  commercial  predominance  and 
low  costs,  the  barriers  to  entry  to  cyber  are  much  lower  for  nonstate  actors. 

While  nuclear  terrorism  is  a  serious  concern,  the  barriers  for  nonstate  actors 
gaining  access  to  nuclear  materials  remain  steep;  renting  a  botnet  to  wreak 
destruction  on  the  Internet  is  both  easy  and  cheap. 

It  would  be  a  mistake,  however,  to  neglect  the  past,  so  long  as  we 
remember  that  metaphors  and  analogies  are  always  imperfect.11  In 
words  often  attributed  to  Mark  Twain,  “History  never  repeats  itself,  but 
sometimes  it  rhymes.”  There  are  some  important  nuclear-cyber  strategic 
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rhymes,  such  as  the  superiority  of  offense  over  defense,  the  potential  use 
of  weapons  for  both  tactical  and  strategic  purposes,  the  possibility  of  first- 
and  second-use  scenarios,  the  possibility  of  creating  automated  responses 
when  time  is  short,  the  likelihood  of  unintended  consequences  and  cas¬ 
cading  effects  when  a  technology  is  new  and  poorly  understood,  and  the 
belief  that  new  weapons  are  “equalizers”  that  allow  smaller  actors  to  compete 
directly  but  asymmetrically  with  a  larger  state.12 

Even  more  important  than  these  technical  and  political  similarities  is 
the  learning  experience  as  governments  and  private  actors  try  to  under¬ 
stand  a  transformative  technology — and  adopt  strategies  to  cope  with  it. 

While  government  reports  warning  about  computer  and  Internet  vulner¬ 
ability  date  back  to  1991  and  the  Pentagon  recently  released  a  new  strategy, 
few  observers  would  argue  that  the  country  has  developed  an  adequate 
national  strategy  for  cyber  security.  It  is  worth  examining  the  uneven  and 
halting  history  of  nuclear  learning  to  alert  us  to  some  of  the  pitfalls  and 
opportunities  ahead  in  the  cyber  domain.  Ernest  May  once  described  US 
defense  policy  and  the  development  of  nuclear  strategy  in  the  first  half¬ 
decade  following  World  War  II  as  “chaotic.”13  He  would  likely  apply  the 
same  term  to  the  situation  in  cyberspace  today. 

Some  General  Lessons 

Expect  continuing  technological  change  to  complicate  early  efforts 
at  strategy.  At  the  beginning,  both  fissile  materials  and  atomic  bombs  were 
assumed  to  be  scarce,  and  it  was  considered  wasteful  to  use  atomic  bombs 
against  any  but  countervalue  targets — that  is,  cities.  Bernard  Brodie  and 
others  concluded  in  the  important  1 946  book  The  Absolute  Weapon  that 
superiority  in  numbers  would  not  guarantee  strategic  superiority,  deter¬ 
rence  of  war  was  the  only  rational  military  policy,  and  ensuring  survival  of 
the  retaliatory  arsenal  was  crucial.14  These  postulates  of  “finite”  or  “existen¬ 
tial”  deterrence  persisted  throughout  the  Cold  War  and  serve  as  the  basis 
for  the  nuclear  strategies  of  countries  such  as  France  and  China  to  this  day. 

In  the  bipolar  competition  of  the  Cold  War,  however,  the  strategy  of  finite 
deterrence  was  challenged  by  the  development  of  the  hydrogen  bomb  in 
the  early  1950s.  Destructive  power  was  no  longer  scarce  but  now  unlimited. 

While  hydrogen  bombs  could  lead  to  explosions  counted  in  the  tens  of 
megatons,  their  real  revolutionary  effect  was  to  permit  miniaturization, 
which  allowed  multiple  weapons  to  pack  huge  destructive  power  into  the 
nose  cones  of  another  technological  surprise — intercontinental  ballistic 
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missiles — which  shortened  response  times  to  less  than  an  hour.  This  bur¬ 
geoning  explosive  power  produced  great  concern  about  the  vulnerability 
of  limited  arsenals,  an  enormous  increase  in  the  number  of  weapons, 
diminished  prospects  for  active  defenses,  and  the  development  of  elabo¬ 
rate  counterforce  war-fighting  strategies. 

Both  superpowers  had  to  confront  the  “usability  paradox.”  If  the 
weapons  could  not  be  used,  they  could  not  deter.  The  United  States  and 
the  USSR  were  locked  in  a  positive-sum  game  that  involved  avoiding 
nuclear  war,  but  simultaneously  they  were  locked  in  a  zero-sum  game 
of  political  competition.  In  the  game  of  political  chicken,  perceptions  of 
credibility  became  crucial.  Some  prospect  of  usability  had  to  be  intro¬ 
duced  into  doctrine,  and  for  decades  strategists  wrestled  with  issues  of 
counterforce  targeting,  exploring  strategic  defense  technology,  and  the 
issues  of  perception  that  disparities  in  large  numbers  might  create  for 
extended  deterrence.  Elaborate  war-fighting  schemes  and  escalation  lad¬ 
ders  were  invented  by  a  nuclear  priesthood  of  experts  who  specialized  in 
arcane  and  abstract  formulas.  In  1976,  Paul  Nitze  and  the  Committee  on 
the  Present  Danger  expressed  alarm  about  American  weakness  when  the 
United  States  possessed  tens  of  thousands  of  weapons,  and  in  1979,  even 
Henry  Kissinger  predicted  that  because  of  American  nuclear  weakness, 

Soviet  risk-taking  “must  exponentially  increase.” 1?  In  fact,  the  opposite 
proved  to  be  the  case.  While  politicians  and  strategists  assailed  the  idea  of 
mutual  assured  destruction  as  an  immoral  and  dangerous  strategy,  MAD 
turned  out  to  be  a  fact,  not  a  policy.  As  McGeorge  Bundy  noted  in  his 
final  work,  when  it  came  to  the  Cuban  missile  crisis,  existential  deterrence 
worked,  and  a  few  Soviet  bombs  created  deterrence  despite  an  over¬ 
whelming  American  superiority  in  numbers.16 

Looking  at  todays  cyber  domain,  interdependence  and  vulnerability  are 
twin  facts  that  are  likely  to  persist,  but  we  should  expect  further  technological 
change  to  complicate  early  strategies.  ARPANET  was  created  in  1969, 
and  the  domain  name  system  and  the  first  viruses  date  back  to  1983; 
however,  as  noted  above,  the  mass  use  and  commercial  development  of 
cyberspace  date  only  from  the  invention  of  the  Worldwide  Web  in  1989 
and  widely  available  browsers  in  the  mid-1990s.17  As  one  expert  put  it, 

“As  recently  as  the  mid-1990s,  the  Internet  was  still  essentially  a  research 
tool  and  the  plaything  of  a  few.”18  In  other  words,  the  massive  vulner¬ 
abilities  that  have  created  the  security  problems  we  face  today  are  less  than 
two  decades  old  and  are  likely  to  increase.  While  some  experts  talk  about 
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reducing  vulnerability  by  reengineering  the  Internet  to  make  attribution 
of  attack  easier,  this  will  take  time.  Even  more  important,  it  will  not  close 
all  vectors  of  attack. 

Early  strategies  focused  on  the  network:  improving  code,  computer 
hygiene,  addressing  issues  of  attribution,  and  maintaining  air  gaps  for  the 
most  sensitive  systems.  These  steps  remain  important  components  of  a 
strategy,  but  they  are  far  from  sufficient.  In  some  ways,  the  invention  and 
explosion  in  the  usage  of  the  Web  is  analogous  to  the  hydrogen  revolution 
in  the  nuclear  era.  By  leading  society  and  the  economy  to  a  vast  depen¬ 
dence  on  networked  communications,  it  created  enormous  vulnerabilities 
that  could  be  exploited  not  only  through  the  Internet  but  also  through 
supply  chains,  devices  to  bridge  air  gaps,  human  agents,  and  manipulation 
of  social  networks.19  With  the  development  of  mobility,  cloud  comput¬ 
ing,  and  the  importance  of  a  limited  number  of  large  providers,  the  issues 
of  vulnerability  may  change  again.  Given  such  technological  volatility,  a  cyber 
security  strategy  will  have  to  be  multifaceted  and  capable  of  continual 
adaptation.  It  should  increase  the  ratio  of  work  that  an  attacker  must  do 
compared  to  that  of  a  defender  and  include  redundancy  and  resilience  to 
allow  graceful  degradation  of  complex  systems  so  that  inevitable  failures 
are  not  catastrophic.20  Strategists  need  to  be  alert  to  the  fact  that  today’s 
solutions  may  not  suffice  tomorrow. 

Strategy  for  a  new  technology  will  lack  adequate  empirical  content. 
Since  Nagasaki,  no  one  has  seen  a  nuclear  weapon  used  in  war.  As  Alain 
Enthoven,  one  of  Robert  McNamara’s  “whiz  kids”  of  the  early  1960s,  re¬ 
torted  during  a  Pentagon  argument  about  war  plans,  “General,  I  have  fought 
just  as  many  nuclear  wars  as  you  have.”21  With  little  empirical  grounding, 
it  was  difficult  to  set  limits  or  test  strategic  formulations.  Elaborate  con¬ 
structs  and  prevailing  political  fashion  led  to  expensive  conclusions  based 
on  abstract  formulas  and  relatively  little  evidence.  Fred  Kaplan  described 
the  environment  thusly: 

The  method  of  mathematical  calculation,  driven  mainly  from  the  theory  of  eco¬ 
nomics  that  they  had  all  studied,  gave  the  strategists  of  the  new  age  a  handle  on 
the  colossally  destructive  power  of  the  weapons  they  found  in  their  midst.  But 
over  the  years  the  method  became  a  catechism.  .  .  .  The  precise  calculations  and 
the  cool,  comfortable  vocabulary  were  coming  all  too  commonly  to  be  grasped 
not  merely  as  tools  of  desperation  but  as  genuine  reflections  of  the  nature  of 
nuclear  war.22 
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In  the  absence  of  empirical  evidence,  these  nuclear  theologians  were  able 
to  spend  vast  resources  on  their  hypothetical  scenarios. 

Cyber  has  the  advantage  that  with  widespread  attacks  by  hackers,  criminals, 
and  spies,  there  is  more  cumulative  evidence  of  a  variety  of  attack  mecha¬ 
nisms  and  of  the  strengths  and  weaknesses  of  various  responses  to  such 
attacks.  It  helps  that  cyber  destruction  can  be  disaggregated  in  a  way  that 
nuclear  cannot.  But  at  the  same  time,  no  one  has  yet  seen  a  cyber  war,  in 
the  strict  sense  of  the  word,  as  defined  above.  Denial-of-service  attacks  in 
Estonia  and  Georgia  and  industrial  sabotage  such  as  Stuxnet  in  Iran  give 
some  inklings  of  the  auxiliary  use  of  cyber  attacks,  but  they  do  not  test 
the  full  set  of  actions  and  reactions  in  a  cyber  war  between  states.  The  US 
government  has  conducted  a  number  of  war  games  and  simulations  and 
is  developing  a  cyber  test  range,  but  the  problems  of  unintended  conse¬ 
quences  and  cascading  effects  have  not  been  experienced.  The  problems 
of  escalation  as  well  as  the  implications  for  the  important  doctrines  of  dis¬ 
crimination  and  proportionality  under  the  Law  of  Armed  Conflict  remain 
unknown. 

New  technologies  raise  new  issues  in  civil-military  relations.  Differ¬ 
ent  parts  of  complex  institutions  like  governments  learn  different  lessons 
at  different  paces,  and  new  technologies  set  off  competition  among  bu¬ 
reaucracies.  At  the  beginning  of  the  nuclear  era,  political  leaders  developed 
institutions  to  maintain  civilian  control  over  the  new  technology,  creating 
an  Atomic  Energy  Agency  separate  from  the  military  as  a  means  of  ensur¬ 
ing  civilian  control.  Congress  established  a  Joint  Atomic  Energy  Committee. 

But  gaps  still  developed  in  the  relationship  between  civilians  and  the  mili¬ 
tary.  Operational  control  of  deployed  nuclear  weapons  came  under  the 
Strategic  Air  Command,  which  had  its  own  traditions,  standard  operat¬ 
ing  procedures,  and  a  strong  leader,  Curtis  LeMay.  In  1957,  LeMay  told 
Robert  Sprague,  the  deputy  director  of  the  civilian  Gaither  Committee 
that  was  investigating  the  vulnerability  of  American  nuclear  forces,  that 
he  was  not  too  concerned  because  “if  I  see  that  the  Russians  are  amassing 
their  planes  for  an  attack,  I’m  going  to  knock  the  s**t  out  of  them  before 
they  take  off  the  ground.”  Sprague  was  thunderstruck  and  replied,  “But 
General  LeMay,  that  is  not  national  policy,”  to  which  LeMay  replied,  “I 
don’t  care.  It’s  my  policy.  That’s  what  I’m  going  to  do.”23  In  1960,  when 
President  Eisenhower  ordered  the  development  of  a  single  integrated 
operational  plan  (SIOP-62),  SAC  produced  a  plan  for  a  massive  strike  with 
2,164  megatons  that  targeted  China  as  well  as  the  Soviet  Union  because  of 
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the  “Sino-Soviet  Bloc.”24  The  limited  nuclear  options  that  civilian  strategists 
theorized  about  as  part  of  a  bargaining  process  would  not  have  looked  very 
limited  from  the  point  of  view  of  the  Soviet  bargaining  partner — not  to 
mention  China. 

While  Cyber  Command  is  still  new  and  has  very  different  leadership 
from  the  old  Strategic  Air  Command,  cyber  security  does  present  some 
similar  problems  of  relating  civilian  control  to  military  operations.  Time 
is  even  shorter.  Rather  than  the  30  minutes  of  nuclear  warning  and  pos¬ 
sible  launch  under  attack,  today  there  would  be  300  milliseconds  between 
a  computer  detecting  that  it  was  about  to  be  attacked  by  hostile  malware 
and  a  preemptive  response  to  disarm  the  attack.  This  requires  not  only 
advanced  knowledge  of  malware  being  developed  in  potentially  hostile 
systems  but  also  an  automated  response.  What  happens  to  the  human 
factor  in  the  decision  loop?  Obviously,  there  is  no  time  to  go  up  the  chain 
of  command,  much  less  convene  a  deputies’  meeting  at  the  White  House. 

For  active  defense  to  be  effective,  authority  will  have  to  be  delegated  under 
carefully  thought-out  rules  of  engagement  developed  in  advance.  More¬ 
over,  there  are  important  questions  about  when  active  defense  shades  into 
retaliation  or  offense.  As  the  head  of  Cyber  Command  has  testified,  such 
legal  authorities  and  rules  still  remain  to  be  fully  resolved.25 

Civilian  uses  will  complicate  effective  national  security  strategies. 

Nuclear  energy  was  first  harnessed  for  military  purposes,  but  it  was  quickly 
seen  as  having  important  civilian  uses  as  well.  In  the  early  days  of  the  de¬ 
velopment  of  nuclear  energy,  it  was  claimed  that  electricity  would  become 
“too  cheap  to  meter”  and  cars  would  be  fueled  for  a  year  by  an  atomic 
pellet  the  size  of  a  vitamin  pill.26  The  engineers’  optimism  about  their  new 
technology  was  reinforced  by  a  political  desire  to  promote  the  civilian  uses 
of  nuclear  energy.  Fearful  that  antiwar  and  antinuclear  movements  would 
delegitimize  nuclear  weapons  and  thus  reduce  their  deterrent  value,  the 
Eisenhower  administration  promoted  an  Atoms  for  Peace  program  that 
offered  to  assist  in  the  promotion  of  nuclear  energy  worldwide.  Other 
countries  joined  in.  The  net  effect  was  to  create  a  powerful  domestic  and 
transnational  lobby  for  promotion  of  nuclear  energy  that  helped  provide 
India  with  the  materials  needed  for  its  nuclear  explosion  in  1974  and  jus¬ 
tified  the  French  sale  of  a  reprocessing  plant  to  Pakistan  and  a  German  sale 
of  enrichment  technology  to  Brazil  in  the  mid-1970s. 

The  Atomic  Energy  Commission  and  the  Joint  Atomic  Energy  Com¬ 
mittee  had  been  created  to  assure  civilian  control  of  nuclear  technology, 
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but  over  time  both  institutions  became  examples  of  regulatory  capture 
by  powerful  commercial  interests — more  interested  in  promotion  than 
regulation  and  security.  Late  in  the  Ford  administration,  both  institutions 
were  disbanded.  However,  after  the  oil  crisis  of  1974,  it  became  an  article 
of  faith  that  nuclear  would  be  the  energy  of  the  future;  that  uranium 
would  be  scarce,  and  thus  widespread  use  of  plutonium  and  breeder 
reactors  would  be  necessary.  When  the  Carter  administration,  following 
the  recommendations  of  the  nongovernmental  Ford-Mitre  Report,27  tried 
to  slow  the  development  of  this  plutonium  economy  in  1977,  it  ran  into  a 
buzz  saw  of  reaction  not  only  overseas  but  also  from  the  nuclear  industry 
and  its  congressional  allies  at  home. 

As  mentioned  earlier,  the  civilian  sector  plays  an  even  larger  role  in  the 
cyber  domain,  and  this  enormously  complicates  the  problem  of  develop¬ 
ing  a  national  security  strategy.  The  Internet  has  become  a  much  more 
significant  contributor  to  GDP  than  nuclear  energy  ever  was.  The  private 
sector  is  more  than  a  constraint  on  policy;  it  is  at  the  heart  of  the  activity 
that  policy  is  designed  to  protect.  Risk  is  inevitable,  and  redundancy  and 
resilience  after  attack  must  be  built  into  a  strategy.  Most  of  the  Internet 
and  its  infrastructure  belong  to  the  private  sector,  and  the  government  has 
only  modest  levers  to  use.  Proposals  to  create  a  central  agency  in  the  execu¬ 
tive  branch  and  a  joint  committee  on  cyber  security  in  Congress  might  be 
useful,  but  one  should  be  alert  to  the  dangers  of  regulatory  capture  and 
the  development  of  a  cyber  “iron  triangle”  of  executive  branch,  congres¬ 
sional,  and  industry  partners. 

From  a  security  perspective,  there  is  a  misalignment  of  economic  incen¬ 
tives  in  the  cyber  domain.28  Firms  have  an  incentive  to  provide  for  their 
own  security  up  to  a  point,  but  competitive  pricing  of  products  limits  that 
point.  Moreover,  firms  have  a  financial  incentive  not  to  disclose  intru¬ 
sions  that  could  undercut  public  confidence  in  their  products  and  stock 
prices.  A  McAfee  white  paper  notes,  “The  public  (and  very  often  the  in¬ 
dustry)  understanding  of  this  significant  national  security  threat  is  largely 
minimal  due  to  the  very  limited  number  of  voluntary  disclosures  by  vic¬ 
tims  of  intrusion  activity.”29  The  result  is  a  paucity  of  reliable  data  and  an 
underinvestment  in  security  from  the  national  perspective.  Moreover, 
laws  designed  to  ensure  competition  restrict  cooperation  among  private 
firms,  and  the  difficulty  of  ascertaining  liability  in  complex  software  limits 
the  role  of  the  insurance  market.  Public-private  partnerships  are  limited 
by  different  perspectives  and  mistrust.  As  one  participant  at  a  recent  cyber 
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security  conference  concluded,  something  bad  will  have  to  happen  before 
markets  begin  to  reprice  security.30 

International  Cooperation  Lessons 

Learning  can  lead  to  concurrence  in  beliefs  without  cooperation. 

Governments  act  in  accordance  with  their  national  interests,  but  they  can 
change  how  they  define  their  interests,  both  through  adjusting  their 
behavior  to  changes  in  the  structure  of  a  situation  as  well  as  through 
transnational  and  international  contacts  and  cooperation.  In  the  nuclear 
domain,  the  initial  learning  led  to  concurrence  of  beliefs  before  it  led  to 
contacts  and  cooperation.  The  first  effort  at  arms  control,  the  Baruch  Plan 
of  1946,  was  rejected  out  of  hand  by  the  Soviet  Union  as  a  ploy  to  preserve 
the  American  monopoly,  and  the  early  learning  was  unilateral  on  both  sides. 

As  we  have  seen,  much  of  what  passed  for  nuclear  knowledge  in  the  early 
days  was  abstraction  based  on  assumptions  about  rational  actors,  which 
made  it  difficult  for  new  information  to  alter  prior  beliefs.  Yet  gradually, 
both  sides  became  increasingly  aware  of  the  unprecedented  destructive 
power  of  nuclear  weapons  through  weapons  tests  and  modeling,  particu¬ 
larly  after  the  invention  of  the  hydrogen  bomb.  As  Winston  Churchill  put 
it  in  1955,  “The  atomic  bomb,  with  all  its  terrors,  did  not  carry  us  outside 
the  scope  of  human  control,”  but  with  the  H-bomb,  “the  entire  foundation 
of  human  affairs  was  revolutionized.”31  In  his  memorable  phrase,  “Safety 
will  be  the  sturdy  child  of  terror.”  On  the  other  side  of  the  Iron  Curtain, 

Nikita  Khrushchev  recalled:  “When  I  was  appointed  First  Secretary  of 
the  Central  Committee  and  learned  all  the  facts  about  nuclear  power  I 
couldn’t  sleep  for  several  days.  Then  I  became  convinced  that  we  could 
never  possibly  use  these  weapons,  and  I  was  able  to  sleep  again.  But  all  the 
same  we  must  be  prepared.”32  These  parallel  lessons  were  learned  indepen¬ 
dently.  It  was  not  until  1985  that  Ronald  Reagan  and  Mikhail  Gorbachev 
finally  declared  jointly  that  “a  nuclear  war  cannot  be  won  and  must  never 
be  fought.”  That  crucial  nuclear  taboo  has  existed  for  nearly  seven  decades 
and  was  well  ensconced  before  it  was  jointly  pronounced. 

A  second  area  where  concurrence  in  beliefs  developed  was  in  the  com¬ 
mand  and  control  of  weapons  and  the  dangers  of  escalation  as  the  two 
governments  accumulated  experience  of  false  alarms  and  accidents.  A 
third  area  related  to  the  spread  of  nuclear  weapons.  Both  the  United  States 
and  the  Soviet  Union  gradually  realized  that  sharing  nuclear  technology 
and  expecting  that  exports  could  remain  purely  peaceful  was  implausible. 
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A  fourth  area  of  common  knowledge  concerned  the  volatility  of  the  arms 
race  and  the  expenses  and  risks  that  it  entailed.  These  views  developed  in¬ 
dependently  and  in  parallel,  and  it  was  more  than  two  decades  before  they 
led  to  formal  cooperation.  Perfect  concurrence  of  beliefs  would  lead  to 
harmony,  which  is  very  rare  in  world  politics.  Cooperation  in  the  nuclear 
area  responded  to  both  some  concurrence  of  beliefs  as  well  as  actual  and 
anticipated  discord.33 

By  its  very  nature,  the  interconnected  cyber  domain  requires  a  degree 
of  cooperation  and  governments  becoming  aware  of  this  situation.  Some 
analysts  see  cyberspace  as  analogous  to  the  ungoverned  Wild  West,  but 
unlike  the  early  days  of  the  nuclear  domain,  cyberspace  has  a  number  of 
areas  of  private  and  public  governance.  Certain  technical  standards  related 
to  Internet  protocol  are  set  (or  not)  by  consensus  among  engineers  in¬ 
volved  in  the  nongovernmental  Internet  Engineering  Task  Force  (IETF), 
and  the  domain  name  system  is  managed  by  the  Internet  Corporation  for 
Assigned  Names  and  Numbers  (ICANN).  The  United  Nations  and  the 
International  Telecommunications  Union  (ITU)  have  tried  to  promulgate 
some  general  norms,  though  with  limited  success.  National  governments 
control  copyright  and  intellectual  property  laws  and  try  to  manage  prob¬ 
lems  of  security,  espionage,  and  crime  within  national  policies.  Though 
some  cooperative  frameworks  exist,  such  as  the  European  Convention  on 
Cyber  Crime,  they  remain  weak,  and  states  still  focus  on  the  zero-sum 
rather  than  positive-sum  aspect  of  these  games.  At  the  same  time,  a  de¬ 
gree  of  independent  learning  may  be  occurring  on  some  of  these  issues. 

For  example,  Russia  and  China  have  refused  to  sign  the  Convention  on 
Cyber  Crime  and  have  hidden  behind  plausible  deniability  as  they  have 
encouraged  intrusions  by  “patriotic  hackers.”  Their  attitudes  may  change, 
however,  if  costs  exceed  benefits.  For  example,  “Russian  cyber-criminals 
no  longer  follow  hands-off  rules  when  it  comes  to  motherland  targets,  and 
Russian  authorities  are  beginning  to  drop  the  laissez-faire  policy.”34  And 
China  is  independently  experiencing  increased  costs  from  cyber  crime.  As 
in  the  nuclear  domain,  independent  learning  may  pave  the  way  for  active 
cooperation  later. 

Learning  is  often  lumpy  and  discontinuous.  Farge  groups  and  orga¬ 
nizations  often  learn  by  crises  and  major  events  that  serve  as  metaphors  for 
organizing  and  dramatizing  diverse  sets  of  experiences.  The  Berlin  crises 
and  particularly  the  Cuban  missile  crisis  of  the  early  1960s  played  such 
a  role.  Having  come  close  to  the  precipice  of  war,  both  Kennedy  and 
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Khrushchev  drew  lessons  about  cooperation.  It  was  shortly  after  the  Cuban 
missile  crisis  that  Kennedy  gave  his  American  University  speech  that  laid 
the  basis  for  the  atmospheric  test  ban  discussions. 

Of  course  crises  are  not  the  only  way  to  learn.  The  experience  of  playing 
iterated  games  of  prisoner’s  dilemma  in  situations  with  a  long  shadow  of 
the  future  may  lead  players  to  learn  the  value  of  cooperation  in  maximizing 
their  payoffs  over  time.35  Early  steps  in  cooperation  in  the  nuclear  domain 
encouraged  later  steps,  without  requiring  a  change  in  the  competitive 
nature  of  the  overall  relationship.  These  governmental  steps  were  rein¬ 
forced  by  informal  “Track Two”  dialogues  such  as  the  Pugwash  Conferences. 

Thus  far  there  have  been  no  major  crises  in  the  cyber  domain,  though 
the  denial-of-service  attacks  on  Estonia  and  Georgia  and  the  Stuxnet  at¬ 
tack  on  Iran  give  hints  of  what  might  come.  As  mentioned  earlier,  some 
experts  think  that  markets  will  not  price  security  properly  in  the  private 
sector  until  there  is  some  form  of  visible  crisis.  But  other  forms  of  learning 
can  occur.  For  example  in  the  area  of  industrial  espionage,  China  has  had 
few  incentives  to  restrict  its  behavior  because  the  benefits  far  exceed  the 
costs.  Spying  is  as  old  as  human  history  and  does  not  violate  any  explicit 
provisions  of  international  law.  Nevertheless,  at  times  governments  have 
established  rules  of  the  road  for  limiting  espionage  and  engaged  in  pat¬ 
terns  of  tit-for-tat  retaliation  to  create  an  incentive  for  cooperation.  While 
it  is  difficult  to  envisage  enforceable  treaties  in  which  governments  agree 
not  to  engage  in  espionage,  it  is  plausible  to  imagine  a  process  of  iterations 
(tit  for  tat)  which  develops  rules  of  the  road  that  could  limit  damage  in 
practical  terms.  To  avoid  “defection  lock-in,”  which  leads  to  unwanted 
escalation,  it  helps  to  engage  in  discussions  that  can  develop  common  per¬ 
ceptions  about  redlines,  if  not  fully  agreed  norms,  as  gradually  developed 
in  the  nuclear  domain  after  the  Cuban  missile  crisis.36  Discussion  helps  to 
provide  a  broader  context  (a  “shadow  of  the  future”)  for  specific  differences, 
and  it  is  interesting  to  note  that  China  and  the  United  States  have  begun 
to  discuss  cyber  issues  in  the  context  of  their  broad  annual  Strategic  and 
Economic  Dialogue,  as  well  as  in  informal  Track  Two  settings. 

Learning  occurs  at  different  rates  in  different  issues  of  a  new  do¬ 
main.  While  the  US-Soviet  political  and  ideological  competition  limited 
their  cooperation  in  some  areas,  awareness  of  nuclear  destructiveness  led 
them  to  avoid  war  with  each  other  and  to  develop  what  Zbigniew  Brzezinski 
called  “a  code  of  conduct  of  reciprocal  behavior  guiding  the  competition, 
lessening  the  danger  that  it  could  become  lethal.”37  These  basic  rules  of 
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prudence  included  no  direct  fighting,  no  nuclear  use,  and  communica¬ 
tion  during  crisis.  More  specifically,  it  meant  the  division  of  Germany  and 
respect  for  spheres  of  influence  in  Europe  in  the  1950s  and  early  1960s 
and  a  compromise  on  Cuba.  On  the  issue  of  command  and  control,  con¬ 
cerns  about  crisis  management  and  accidents  led  to  the  hotline,  as  well  as 
the  Accidents  Measures  and  Incidents  at  Sea  meetings  of  the  early  1970s. 
Similarly,  on  the  issue  of  nonproliferation  the  two  sides  discovered  a  com¬ 
mon  interest  and  began  to  cooperate  in  the  mid-1960s,  well  before  the 
bilateral  arms  control  agreements  about  issues  of  arms  race  stability  in  the 
1970s.  Unlike  the  view  that  says  nothing  is  settled  in  a  deal  until  every¬ 
thing  is  settled,  nuclear  learning  and  agreements  proceeded  at  different 
rates  in  different  areas. 

The  cyber  domain  is  likely  to  be  analogous.  As  we  have  seen,  there 
are  already  some  agreements  and  institutions  that  relate  to  the  basic 
functioning  of  the  Internet,  such  as  technical  standards  as  well  as  names 
and  addresses,  and  there  is  the  beginning  of  a  normative  framework  for 
cyber  crime.  But  it  is  likely  to  take  longer  before  there  are  agreements  on 
contentious  issues  such  as  cyber  intrusions  for  purposes  like  espionage  and 
preparing  the  battlefield.  Nevertheless,  the  inability  to  envisage  an  overall 
agreement  need  not  prevent  progress  on  sub-issues.  Indeed,  the  best  pros¬ 
pects  for  success  may  involve  disaggregating  the  term  attacks  into  specific 
actions  that  could  be  addressed  separately. 

Involve  the  military  in  international  contacts.  As  mentioned  above, 
the  military  can  be  under  civilian  control  but  still  have  an  independent 
operational  culture  of  its  own.  By  its  nature  and  function,  it  is  charged 
with  entertaining  worst-case  assumptions.  It  does  not  necessarily  learn 
the  same  lessons  at  the  same  rate  as  its  civilian  counterparts.  Early  in  the 
SALT  talks,  Soviet  military  leaders  complained  about  the  American  habit 
of  discussing  sensitive  military  information  in  front  of  civilian  members  of 
the  Soviet  delegation.  The  practice  had  the  effect  of  broadening  communi¬ 
cation  within  the  Soviet  side.  At  the  same  time,  Soviet  military  leaders  had 
little  understanding  of  American  institutions  or  the  role  of  Congress  and 
how  that  would  affect  nuclear  issues.  Their  involvement  in  arms  talks  helped 
to  produce  a  more  sophisticated  generation  of  younger  leaders.  As  Foreign 
Minister  Andrei  Gromyko  put  it,  “It’s  hard  to  discuss  the  subject  with  the 
military,  but  the  more  contact  they  have  with  the  Americans,  the  easier  it 
will  be  to  turn  our  soldiers  into  something  more  than  just  martinets.”38 

[  52  ]  Strategic  Studies  Quarterly  ♦  Winter  20 1  I 

Disclaimer 

The  views  and  opinions  expressed  or  implied  in  the  SSQ  are  those  of  the  authors  and  should  not  be  construed  as 
carrying  the  official  sanction  of  the  United  States  Air  Force,  the  Department  of  Defense,  Air  Education  and  Training 
Command,  Air  University,  or  other  agencies  or  departments  of  the  US  government. 


We  encourage  you  to  e-mail  your  comments  to  us  at:  strategicstudiesquarterly@maxwell.af.mil. 

Nuclear  Lessons  for  Cyber  Security r> 


In  the  cyber  domain,  the  Chinese  People’s  Liberation  Army  plays  a 
major  role  in  recruitment,  training,  and  operations.  China  today  provides 
more  opportunities  for  PLA  generals  to  have  international  contacts  than 
was  true  for  Soviet  officers  during  the  Cold  War,  but  those  contacts  are 
still  limited.  Moreover,  while  political  control  over  the  Chinese  military 
is  strong,  operational  control  is  weak,  as  shown  by  a  number  of  recent 
incidents.  Indeed,  seven  of  the  nine  members  of  the  Standing  Military 
Commission  wear  uniforms,  and  there  is  no  National  Security  Council  or 
equivalent  to  coordinate  operational  details  across  the  government.  The 
lessons  from  the  nuclear  era  would  suggest  the  importance  of  involving 
PLA  officers  in  discussions  of  cyber  cooperation. 

Deterrence  is  complex  and  involves  more  than  just  retaliation.  Early 
views  of  deterrence  in  the  nuclear  era  were  relatively  simple  and  relied  on 
massive  retaliation  to  a  nuclear  attack.  Retaliation  remained  at  the  core 
of  deterrence  throughout  the  Cold  War,  but  as  strategists  confronted  the 
usability  dilemma  and  the  problems  of  extended  deterrence,  their  theories 
of  deterrence  became  more  complex.  While  a  second-strike  capability  and 
mutual  assured  destruction  may  have  been  enough  to  prevent  attacks  on 
the  homeland,  they  were  never  credible  for  issues  at  the  low  end  of  the 
spectrum  of  interests.  Somewhere  between  these  extremes  lay  extended 
deterrence  of  attacks  against  allies  and  defense  of  vulnerable  positions 
such  as  Berlin.  Nuclear  deterrence  was  supplemented  by  other  measures, 
such  as  forward  basing  of  conventional  forces,  declaratory  policy,  changes 
of  alert  levels,  and  force  movements. 

Many  analysts  argue  that  deterrence  does  not  work  in  cyberspace  be¬ 
cause  of  the  problem  of  attribution,  but  that  is  also  too  simple.  Interstate 
deterrence  through  entanglement  and  denial  still  exists  even  when  there  is 
inadequate  attribution.  Even  when  the  source  of  an  attack  can  be  success¬ 
fully  disguised  under  a  “false  flag,”  other  governments  may  find  themselves 
sufficiently  entangled  in  symmetrically  interdependent  relationships  that 
a  major  attack  would  be  counterproductive — witness  the  reluctance  of  the 
Chinese  government  to  dump  dollars  to  punish  the  United  States  after  it 
sold  arms  to  Taiwan  in  2010. 39  Unlike  the  single  strand  of  military  inter¬ 
dependence  that  linked  the  United  States  and  the  Soviet  Union  during 
the  Cold  War,  the  United  States,  China,  and  other  countries  are  entangled 
in  multiple  networks.  China,  for  example,  would  itself  lose  from  an  attack 
that  severely  damaged  the  American  economy,  and  vice  versa. 
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In  addition,  an  unknown  attacker  may  be  deterred  by  denial.  If  firewalls 
are  strong  or  the  prospect  of  a  self-enforcing  response  (“an  electric  fence”) 
seems  possible,  attack  becomes  less  attractive.  Offensive  capabilities  for 
immediate  response  can  create  an  active  defense  that  can  serve  as  a  deter¬ 
rent  even  when  the  identity  of  the  attacker  is  not  fully  known.  Futility 
can  also  help  deter  an  unknown  attacker.  If  the  target  is  well  protected  or 
redundancy  and  resilience  allow  quick  recovery,  the  risk-to-benefit  ratio  in 
attack  is  diminished.40  Moreover,  attribution  does  not  have  to  be  perfect, 
and  to  the  extent  that  false  flags  are  imperfect  and  rumors  of  the  source  of 
an  attack  are  widely  deemed  credible  (though  not  probative  in  a  court  of 
law),  reputational  damage  to  an  attacker’s  soft  power  may  contribute  to 
deterrence.  Finally,  a  reputation  for  offensive  capability  and  a  declaratory 
policy  that  keeps  open  the  means  of  retaliation  can  help  to  reinforce  de¬ 
terrence.  Of  course,  nonstate  actors  are  harder  to  deter,  and  improved  de¬ 
fenses  such  as  preemption  and  human  intelligence  become  important  in 
such  cases.  But  among  states,  nuclear  deterrence  was  more  complex  than 
it  first  looked,  and  that  is  doubly  true  of  deterrence  in  the  cyber  domain. 

Begin  arms  control  with  positive-sum  games  related  to  third  parties. 
Although  the  United  States  and  the  Soviet  Union  developed  some  tacit 
rules  of  the  road  about  prudent  behavior  early  on,  direct  negotiation  and 
agreements  concerning  arms  race  stability  or  force  structure  did  not  occur 
until  the  third  decade  of  the  nuclear  era.  Early  efforts  at  comprehensive 
arms  control  like  the  Baruch  Plan  were  total  nonstarters.  And  even  the 
eventual  SALT  agreements  were  of  limited  value  in  controlling  numbers 
of  weapons  and  involved  elaborate  verification  procedures  which  them¬ 
selves  sometimes  became  issues  of  contention.  The  first  formal  agreement 
was  the  Limited  Test  Ban  Treaty,  where  detection  of  atmospheric  tests  was 
easily  verifiable  and  it  could  be  considered  largely  an  environmental  treaty. 

The  second  major  agreement  was  the  Non-Proliferation  Treaty  of  1968, 
which  was  aimed  at  limiting  the  spread  of  nuclear  weapons  to  third  parties. 

Both  these  agreements  involved  positive-sum  games. 

In  the  cyber  domain,  the  global  nature  of  the  Internet  requires  international 
cooperation.  Some  people  call  for  cyber  arms  control  negotiations  and 
formal  treaties,  but  differences  in  cultural  norms  and  the  impossibility  of 
verification  make  such  treaties  difficult  to  negotiate  or  implement.  Such 
efforts  could  actually  reduce  national  security  if  asymmetrical  implemen¬ 
tation  put  legalistic  cultures  like  the  United  States  at  a  disadvantage  com¬ 
pared  to  societies  with  a  higher  degree  of  government  corruption.  At  the 
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same  time,  it  is  not  too  early  to  explore  international  talks  and  coopera¬ 
tion.  The  most  promising  early  areas  for  international  cooperation  are  not 
bilateral  conflicts,  but  problems  posed  by  third  parties  such  as  criminals 
and  terrorists. 

For  more  than  a  decade,  Russia  has  sought  a  treaty  for  broad  international 
oversight  of  the  Internet  and  “information  security”  banning  deception  or 
the  embedding  of  malicious  code  or  circuitry  that  could  be  activated  in 
the  event  of  war.  But  Americans  have  argued  that  arms  control  measures 
banning  offense  can  damage  defense  against  current  attacks  and  would 
be  impossible  to  verify  or  enforce.  And  declaratory  statements  of  “no  first 
use”  might  have  restraining  effects  on  legalistic  cultures  like  the  United 
States  while  having  less  effect  on  states  with  closed  societies.  Moreover, 
the  United  States  has  resisted  agreements  that  could  legitimize  authoritarian 
governments’  censorship  of  the  Internet.  Cultural  differences  present  a 
difficulty  in  reaching  any  broad  agreements  on  regulating  content  on  the 
Internet.  The  United  States  has  called  for  the  creation  of  “norms  of  be¬ 
havior  among  states”  that  “encourage  respect  for  the  global  networked 
commons,”  but  as  Jack  Goldsmith  has  argued,  “Even  if  we  could  stop 
all  cyber  attacks  from  our  soil,  we  wouldn’t  want  to.  On  the  private  side, 
hacktivism  can  be  a  tool  of  liberation.  On  the  public  side,  the  best  de¬ 
fense  of  critical  computer  systems  is  sometimes  a  good  offense.”41  From 
the  American  point  of  view,  Twitter  and  YouTube  are  matters  of  personal 
freedom;  seen  from  Beijing  or  Tehran,  they  are  instruments  of  attack.  Try¬ 
ing  to  limit  all  intrusions  would  be  impossible,  but  on  the  spectrum  of 
attacks  ranging  from  soft  hacktivism  to  hard  implanting  of  logic  bombs 
in  SCADA  (supervisory  control  and  data  acquisition)  systems,  one  could 
start  with  cyber  crime  and  cyber  terrorism  involving  nonstate  third  parties 
where  major  states  would  have  an  interest  in  limiting  damage  by  agreeing 
to  cooperate  on  forensics  and  controls.  States  might  start  with  acceptance 
of  responsibility  for  attacks  that  traverse  their  territory  and  a  duty  to  co¬ 
operate  on  forensics,  information,  and  remedial  measures.42  At  some  later 
points,  it  is  possible  that  such  cooperation  could  spread  to  state  activities 
at  the  hard  end  of  the  spectrum,  as  it  did  in  the  nuclear  domain. 

Conclusion 

Historical  analogies  are  always  dangerous  if  taken  too  literally,  and  the 
differences  between  nuclear  and  cyber  technologies  are  great.  The  cyber 
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domain  is  new  and  dynamic,  but  so  was  nuclear  technology  at  its  incep¬ 
tion.  It  may  help  to  put  the  problems  of  designing  a  strategy  for  cyber 
security  into  perspective,  particularly  the  aspect  of  cooperation  among 
states,  if  we  realize  how  long  and  difficult  it  was  to  develop  a  nuclear 
strategy,  much  less  international  nuclear  cooperation.  Nuclear  learning 
was  slow,  halting,  and  incomplete.  The  intensity  of  the  ideological  and 
political  competition  in  the  US-Soviet  relationship  was  much  greater  than 
that  between  the  United  States  and  Russia  or  the  United  States  and  China 
today.  There  were  far  fewer  positive  strands  of  interdependence  in  the 
relationship.  Yet  the  intensity  of  the  zero-sum  game  did  not  prevent  the 
development  of  rules  of  the  road  and  cooperative  agreements  that  helped 
to  preserve  the  concurrent  positive-sum  game. 

That  is  the  good  news.  The  bad  news  is  that  cyber  technology  gives  much 
more  power  to  nonstate  actors  than  does  nuclear  technology,  and  the  threats 
such  actors  pose  are  likely  to  increase.  The  transnational,  multiactor  games 
of  the  cyber  domain  pose  a  new  set  of  questions  about  the  meaning  of 
national  security.  Some  of  the  most  important  security  responses  must  be 
national  and  unilateral,  focused  on  hygiene,  redundancy,  and  resilience. 
It  is  likely,  however,  that  major  governments  will  gradually  discover  that 
cooperation  against  the  insecurity  created  by  nonstate  actors  will  require 
greater  priority  in  attention.  The  world  is  a  long  distance  from  such  a 
response  at  this  stage  in  the  development  of  cyber  technology.  But  such 
responses  did  not  occur  until  we  approached  the  third  decade  of  the  nuclear 
era.  With  the  World  Wide  Web  only  two  decades  old,  may  we  be  approach¬ 
ing  an  analogous  point  in  the  political  trajectory  of  cyber  security? 
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